Mid-August 2008: The Chinese government apparently hacks into the 2008 presidential campaigns of Barack Obama and John McCain.

Admiral Dennis Blair (Credit: Sasakawa Peace Foundation USA)

Hacking teams traced back to China are caught breaking into the computers of the Obama and McCain campaigns, resulting in high-level warnings to Chinese officials to stop. The computers, laptops, and mobile devices of top campaign aides and advisers who receive high-level briefings are particularly targeted. “Spear phishing” is used to get targets to open an attachment containing a virus that would allow data to be stolen from their computer.

Obama campaign manager David Plouffe will later say he got a call in the middle of August 2008 alerting him to the attack and that the FBI was investigating. However, the virus is extremely sophisticated, and it takes months for it to be completely removed from the networks of the two campaigns.

In a May 2009 speech, President Obama will make a general mention of the attacks: “Hackers gained access to emails and a range of campaign files, from policy position papers to travel plans.” However, the involvement of China’s government won’t be publicly revealed until June 2013.

Dennis Blair, director of national intelligence from 2009 to 2010, will comment that year, “Based on everything I know, this was a case of political cyberespionage by the Chinese government against the two American political parties. They were looking for positions on China, surprises that might be rolled out by campaigns against China.” (NBC News, 6/6/2013)

July 12, 2011: Clinton’s public comments on transparency contradict her personal practices.

Clinton speaks to the Open Government Partnership on July 12, 2011. (Credit: Open Government Partnership)

Clinton gives a speech to inaugurate the Open Government Partnership, an international initiative to promote government transparency. “When a government hides its work from public view, hands out jobs and money to political cronies, administers unequal justice, looks away as corrupt bureaucrats and businessmen enrich themselves at the people’s expense, that government is failing its citizens. And most importantly, that government is failing to earn and hold the trust of its people. And that lack of trust, in a world of instantaneous communication, means that the very fabric of society begins to fray and the foundation of governmental legitimacy begins to crumble.”

In 2015, Danielle Brian, the executive director of the nonpartisan Project On Government Oversight (POGO), will say that Clinton’s comments “demonstrate extraordinary hypocrisy given that while Clinton was giving this speech she had created essentially a second set of books where her communications were not being captured for the National Archives [and Records Administration (NARA)].” Furthermore, keeping all of her emails out of reach “undermines the whole point of the Open Government Partnership.” (US Department of State, 7/12/2011) (Bloomberg News, 3/5/2015)

September 20, 2011: Clinton’s State Department pledges to improve processing FOIA requests while Clinton keeps her emails out of reach of all such requests.

Abedin (standing) and Clinton (on cell phone) attend a meeting with leaders of the Open Government Partnership in New York on September 20, 2011. (Credit: Politico)

The US is one of the founding members of the Open Government Partnership, an international initiative joined by over 60 countries to promote government transparency. The US State Department makes several commitments as part of a transparency action plan. One is to overhaul how the US government stores and manages its records, to create “a reformed, digital-era, government-wide records management framework that promotes accountability and performance.” It also pledges to reform how it processes requests under the Freedom of Information Act (FOIA), making government information more searchable and available to the public.

In 2015, Ryan Shapiro, a FOIA expert at the Massachusetts Institute of Technology, will point out that Clinton made this commitment even while she attempted to keep all of her emails from future public scrutiny. “Secretary Clinton’s hypocritical and self-serving stance on transparency should be deeply troubling to everyone who cares about open government and accountability. It’s ironic that Secretary Clinton championed an open government partnership for other countries while simultaneously working diligently to subvert transparency at home.” (Bloomberg News, 3/5/2015) (Opengovpartnership.org, 1/13/2016)

2012: The State Department is the worst US government department in dealing with FOIA requests.

Project On Government Oversight logo (Credit: POGO)

According to the Center for Effective Government, a government watchdog group which will later merge into the Project On Government Oversight (POGO), in the fiscal year of 2012, Clinton’s last full year in office, the State Department ranks last out of the 15 major government departments for its handling of Freedom of Information Act (FOIA) requests. It earns an “F” grade, with a score well below any other department. (Bloomberg News, 3/5/2015) (Center for Effective Government, 3/5/2016)

June 6, 2013: Chinese government hacker attacks on US government targets have steadily increased since 2008.

Shawn Henry (Credit: public domain)

In the summer of 2008, the presidential campaigns of Barack Obama and John McCain had their computers successfully breached by hackers apparently working for the Chinese government. According to NBC News, “US officials say that Chinese intrusions have escalated in the years since, involving repeated attacks on US government agencies, political campaigns, corporations, law firms, and defense contractors—including the theft of national security secrets and hundreds of billions of dollars in intellectual property.”

Shawn Henry headed up the FBI’s investigation of the 2008 attacks and now is president of the computer security company CrowdStrike. He says there’s “little doubt” the Chinese government has an aggressive electronic espionage program targeting the US government and the commercial sector. “There’s been successful exfiltration of data from government agencies (by the Chinese) up and down Pennsylvania Avenue.” (NBC News, 6/6/2013)

July 2013: Clinton’s private server is reconfigured to use a commercial email provider.

The MX Logic logo (Credit: MX Logic)

The Colorado-based provider, MX Logic, is owned by McAfee Inc., a top Internet security company. This comes one month after Clinton hired the Colorado-based Platte River Networks to maintain her email server, and four months after a hacker named Guccifer publicly exposed Clinton’s private email address for the first time. (The Associated Press, 3/4/2015) 

Computer security expert Matt Devost will later comment: “The timing makes sense. When she left office and was no longer worried as much about control over her emails, she moved to a system that was easier to administer.” (Bloomberg News, 3/4/2015)

March 2, 2015: Clinton spokesperson Nick Merrill incorrectly claims that Clinton’s email practices followed “both the letter and spirit of the rules.”

Nick Merrill (Credit: Skidmore College)

Merrill’s comment appears in the March 2, 2015 New York Times story revealing that Clinton used a private email account when she was secretary of state. He won’t say why she did this. (The New York Times, 3/2/2015)

However, on March 12, 2015, Douglas Cox, a professor who focuses on records preservation laws, says: “While Clinton may have technical arguments for why she complied with [the various] rules that have been discussed in the news, the argument that Clinton complied with the letter and spirit of the law is unsustainable.” (Politifact, 3/12/2015)

In May 2016, the State Department’s inspector general will conclude that department officials “did not—and would not—approve her exclusive reliance on a personal email account to conduct Department business.” Her daily use of a private email account for work matters is also determined to be in violation of department rules. (US Department of State, 5/25/2016)

March 4, 2015: Clinton’s private server used a misconfigured encryption system.

Alex McGeorge (Credit: CNBC)

Alex McGeorge, head of threat intelligence at Immunity Inc., a digital security firm, investigates what can be learned about Clinton’s still-operating server. He says, “There are tons of disadvantages of not having teams of government people to make sure that mail server isn’t compromised. It’s just inherently less secure.” He is encouraged to learn the server is using a commercial encryption product from Fortinet. However, he discovers it uses the factory default encryption “certificate,” instead of one purchased specifically for Clinton.

Bloomberg News reports: “Encryption certificates are like digital security badges, which websites use to signal to incoming browsers that they are legitimate. […] Those defaults would normally be replaced by a unique certificate purchased for a few hundred dollars. By not taking that step, the system was vulnerable to hacking.”

McGeorge comments, “It’s bewildering to me. We should have a much better standard of security for the secretary of state.” (Bloomberg News, 3/4/2015)

March 18, 2015: The DIA’s former chief technology officer says: “I have no doubt in my mind that [Clinton’s server] was penetrated by multiple foreign powers.”

Bob Gourley (Credit: public domain)

He adds, “To assume otherwise is to put blinders on.” This is according to Bob Gourley, who was the chief technology officer at the DIA [Defense Intelligence Agency] from 2005 to 2008 and is the founder of Cognitio, a cybersecurity consulting firm. (Bloomberg News, 3/18/2015)

March 18, 2015: Clinton’s private server was not protected against hackers who might impersonate her identity.

A security evaluation of Clinton's server. (Credit: Bloomberg View)

Bloomberg News reports, “According to publicly available information, whoever administrated [Clinton’s private server] didn’t enable what’s called a Sender Policy Framework, or SPF, a simple setting that would prevent hackers sending emails that appear to be from clintonemail.com. SPF is a basic and highly recommended security precaution for people who set up their own servers.”

Bob Gourley, who was the chief technology officer at the DIA [Defense Intelligence Agency] and is the founder of his own cybersecurity consulting firm, says: “If [an SPF] was not in use, [hackers] could send an email that looks like it comes from her to, say, the ambassador of France that says, ‘leave the back door open to the residence a package is coming.’ Or a malicious person could send an email to a foreign dignitary meant to cause an international incident or confuse US foreign policy.” This also would have made it easy for hackers to launch “spear phishing” attacks from Clinton’s account. Other government officials could have thought they were getting a real email from Clinton and then be tricked into having their own accounts breached.

Clinton’s spokesperson claims there is no evidence her account was ever successfully exploited in this manner. But Bloomberg News points out, “The problem with such confidence is that if hackers exploited the SPF vulnerability, Clinton’s office would likely never have known her domain name…was being used surreptitiously.” (Bloomberg News, 3/18/2015)
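The SPF setting discussed in this entry is a DNS TXT record that lists which hosts may send mail for a domain. The following is an added example, not part of the original article or of Bloomberg's reporting: a small offline check that classifies a domain's SPF posture from its TXT records. The function names and all sample records are constructed for illustration.

```python
# Added example: offline SPF posture check. All records below are constructed.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def find_spf(txt_records):
    """Return TXT strings that are SPF policies: 'v=spf1' alone or followed by terms."""
    found = []
    for record in txt_records:
        text = record.strip()
        low = text.lower()
        if low == "v=spf1" or low.startswith("v=spf1 "):
            found.append(text)
    return found

def audit_spf(txt_records):
    """Return (verdict, reason) for a domain's TXT record set.

    verdict: 'none', 'invalid', 'permissive', 'softfail', 'strict' or 'delegated'.
    """
    policies = find_spf(txt_records)
    if not policies:
        return "none", "no SPF record; receivers have no sender list to check against"
    if len(policies) > 1:
        return "invalid", "more than one SPF record; RFC 7208 treats this as a permanent error"
    terms = policies[0].split()[1:]
    for term in terms:
        # A mechanism without a qualifier defaults to '+' (pass).
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if term.lstrip("+-~?").lower() == "all":
            result = QUALIFIERS[qualifier]
            if result == "fail":
                return "strict", "unlisted senders are rejected (-all)"
            if result == "softfail":
                return "softfail", "unlisted senders are only flagged (~all)"
            return "permissive", "'all' evaluates to %s for unlisted senders" % result
    if any(t.lower().startswith("redirect=") for t in terms):
        return "delegated", "policy is taken from the redirect= target"
    return "permissive", "no 'all' term; unlisted senders get a neutral result"

# Constructed TXT record sets for a placeholder domain (192.0.2.0/24 is a documentation range).
SAMPLES = {
    "no SPF at all": ["site-verification=constructed-token"],
    "strict": ["v=spf1 mx ip4:192.0.2.10 -all"],
    "soft": ["v=spf1 mx ~all"],
    "duplicate": ["v=spf1 mx -all", "v=spf1 ip4:192.0.2.10 -all"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, "->", audit_spf(records))
```

A verdict of "none" corresponds to the situation the article describes: with no published policy, a receiving mail server cannot tell an authorized sender from a forged one.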

March 18, 2015: Clinton’s team won’t answer basic questions about the security of her private server.

John A. Lewis (Credit: Johns Hopkins University)

Clinton spokesperson Nick Merrill claims that when Clinton set up her private email server, “Robust protections were put in place and additional upgrades and techniques were employed over time as they became available. There was never evidence of a breach, nor any unauthorized intrusions.”

However, Merrill declines to say who exactly was in charge of maintaining the server and ensuring its security. Furthermore, it’s unclear what sort of security vetting that person or persons received, if any. Additionally, Merrill won’t reveal if other departments that protect government communications, such as the FBI or the NSA, were ever told of the server’s existence, and if so, if they helped provide security for it.

James A. Lewis, who held senior technology posts at the White House and State Department, comments that emails “that run on commercial services are vulnerable to collection. […] I don’t think people realize how much of this information is available to foreign intelligence services.” (Bloomberg News, 3/18/2015)

Contrary to Merrill’s claim, a May 2016 State Department inspector general report will reveal that there were hacker attacks on Clinton’s server.

October 2015—Mid-May 2016: Hackers, alleged to be Russian, target almost 4,000 Google accounts related to US politics.

Center for American Progress logo (Credit: public domain)

According to a June 17, 2016 Bloomberg News article, during this time period, the same allegedly Russian hackers who breach the computers of the DNC [Democratic National Committee] and Clinton’s presidential campaign “[burrow] much further into the US political system, sweeping in law firms, lobbyists, consultants, foundations, and the policy groups known as think tanks, according to a person familiar with investigations of the attacks.” Almost 4,000 Google accounts are targeted by “spear phishing,” which involves tricking targets into giving up log-in information so their data can be accessed. The Center for American Progress, a think tank with ties to Clinton and the Obama administration, is one known target.

Bloomberg News will further report that, “Based on data now being analyzed, various security researchers believe the campaign stems from hackers linked to Russian intelligence services and has been broadly successful, extracting reams of reports, policy papers, correspondence and other information.”

The Russian government denies any involvement, but cybersecurity experts who have investigated the attacks believe the hackers are working for Russia. It is believed that either or both of two major Russian hacking groups, Fancy Bear (or APT 28) and Cozy Bear (or APT 29) are behind the attacks. (Bloomberg News, 6/17/2016)

February 4, 2016: Bloomberg News reveals some hints about the contents of Clinton’s 22 “top secret” emails.

Senator Richard Burr (Credit: public domain)

Bloomberg News reports: “US officials who reviewed the emails tell us they contain the names of U.S. intelligence officers overseas, but not the identities of undercover spies; summaries of sensitive meetings with foreign officials; and information on classified programs like drone strikes and intelligence-collection efforts in North Korea.”

Senate Intelligence Chair Richard Burr, who has also read all 22 emails, also offers some hints. He says Clinton should have known to better protect the information they contain. “They are definitely sensitive. Anybody in the intelligence world would know that the content was sensitive.” (Bloomberg News, 2/4/2016)

February 4, 2016: Clinton still holds a security clearance despite her mishandling of “top secret” information.

Bloomberg News reports that there is a debate in high-level political circles over whether Clinton should be allowed to keep her security clearance or not during the FBI’s Clinton investigation. Predictably, Democrats say she should while Republicans say she shouldn’t. It was reported in late January 2016 that 22 emails on her unapproved private server contained “top secret” and even above “top secret” information. (Bloomberg News, 2/4/2016) 

In October 2015, the State Department reportedly confirmed to Senator Chuck Grassley (R) that Clinton still holds a security clearance for TS/SCI [Top Secret/Sensitive Compartmented Information], the highest-level security clearance, and apparently nothing has changed since then. It is standard practice for high-ranking officials to retain their clearances after leaving office. (The Free Beacon, 10/7/2015)

March 4, 2016: Clinton’s campaign accuses Inspector General Linick of bias without solid evidence; his staffers feel harassed.

Bloomberg News reports that “The Hillary Clinton campaign has gone on the attack against the government official who conducts oversight of the State Department she used to run [Inspector General Steve Linick], accusing him of partisanship and misconduct without any direct evidence.”

However, Linick is a difficult target because he “has never been regarded as a partisan official” and President Obama appointed him. So the attackers are focusing on Emilia DiSanto, who works in his office, and claim that she is influencing him too much. Clinton supporters argue DiSanto is biased against Clinton because she had previously worked as an investigator for Republican Senator Charles Grassley.

Bloomberg News reports that for Linick’s staff, “the accusations are impossible to confront head on because they are not authorized to speak on the record about ongoing investigations.” Furthermore, his office has been “receiving dozens of FOIA [Freedom of Information Act] requests aimed at gathering information on office staffers themselves. Sources in the inspector general office tell me they see the requests and accusations as an attempt to intimidate them and deter them from continuing Clinton-related work.” Bloomberg News concludes, “Accusing Linick’s staffers of misconduct due to their past work affiliations is a slippery slope; tons of government employees have connections on Capitol Hill.” (Bloomberg News, 3/4/2016)